Privacy policy




This Personal Data Protection Policy of Madmind Studio S.A. (229 Grunwaldzka Street, 85-459 Bydgoszcz) (hereinafter referred to as the Company) was created based on an analysis of the nature, scope, context and purposes of processing and the risk of violation of the rights or freedoms of individuals with different probability and severity of threat. Its primary purpose is to regulate all areas that relate to data processing and the technical and organizational measures adopted in the Company.



  1. Glossary

The terms used in the Personal Data Protection Policy (PODO) shall be understood as:

  1. controller - the Company, i.e. a legal entity that alone or jointly with others determines the purposes and means of processing personal data;

  2. audit - a systematic, independent and documented process of obtaining audit evidence and objectively evaluating it to determine the extent to which audit criteria are met;

  3. personal data - means information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;

  4. Company - Madmind Studio S.A.

  5. Security incident - any detected breach or detected attempt to breach the security of personal data being a violation of the Company's internal regulations or generally applicable laws; the source of a security incident may be either an accidental or intentional act or omission thereof by employees / associates or persons with the assistance of whom the Company performs its activities;

  6. Data Protection Officer (IOD) - a person appointed to perform the tasks indicated in Article 39 of the RODO;

  7. integrity - the property that an ICT system resource has not been modified in an unauthorized manner;

  8. personal data breach - means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed;

  9. risk assessment - a process aimed at estimating the severity of a risk understood as a function of the likelihood of an effect and the criticality of its consequences for the rights or freedoms of individuals whose personal data the Company processes;

  10. supervisory authority - the President of the Office for Personal Data Protection (PUODO);

  11. processor - means a natural or legal person, public authority, entity or other entity that processes personal data on behalf of the controller;

  12. personal data protection policy (PODO) - this document, by which is meant a set of effective, documented security policies and procedures, together with a plan for their implementation and enforcement;

  13. risk handling - the process of modifying risk; risk handling may include, for example, avoiding risk by deciding not to start or continue risk-causing activities, removing the source of risk, retaining risk based on a conscious decision.

  14. confidentiality - the property of ensuring that personal data is not shared or disclosed to unauthorized individuals;

  15. data processing - a series of interrelated activities or tasks that solve a specific problem or lead to a specific effect using personal data;

  16. profiling - means any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of an individual, in particular to analyze or forecast aspects of that individual's performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement;

  17. processing - means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, limiting, erasing or destroying;

  18. RODO - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

  19. accountability - the property of an IT resource meaning that actions performed on it can be unambiguously attributed to the person or IT system performing them;

  20. risk - the probability that a threat will exploit a vulnerability causing an effect;

  21. information and communication system - a set of cooperating IT devices and software, ensuring processing and storage, as well as sending and receiving data via telecommunication networks by means of a terminal device appropriate for a given type of network, within the meaning of the Act of July 21, 2000 - Telecommunications Law;

  22. personal data protection system (SODO) - personal data protection policies, procedures, guidelines, related resources and activities, jointly managed by the Company striving to protect the personal data it processes;

  23. user - an employee or associate of the Company, as well as other persons with the help of whom the Company performs its activities, who are authorized to work in the ICT system in accordance with their job responsibilities and assigned rights;

  24. business owner - the person responsible for the operation and continuous improvement of a given data processing process;

  25. threat - a factual condition that may cause a breach of personal data security.


  1. Legal basis

This Personal Data Protection Policy is based on:

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as RODO);

  2. The Law of May 10, 2018 on the Protection of Personal Data (UODO);

  3. The Act of July 18, 2002 on the provision of services by electronic means (hereinafter referred to as the SGEI);

  4. The Law of July 16, 2004 - Telecommunications Law (hereinafter referred to as PT);

  5. PN-ISO/IEC 27001:2013;

  6. PN-ISO/IEC 27005:2014;

  7. Guidelines of the Article 29 Data Protection Working Group, i.e.:

  1. Guidelines on Data Protection Officers ('DPOs') dated December 13, 2016;

  2. Guidelines on Data Protection Impact Assessment (DPIA) and the determination of whether processing is "highly likely to result in a high risk," for the purposes of Regulation 2016/679, dated April 4, 2017;

  3. Guidelines on the right to data portability, dated December 13, 2016;

  4. Guidelines for determining the lead supervisory authority with jurisdiction over a controller or processor, dated December 13, 2016.

  1. Purpose and scope of PODO

  1. The purpose of the PODO is to provide an organizational basis for the implementation of the Company's personal data protection system.

    1. The PODO applies to all personal data held by the Company regardless of how such data is processed.

    2. The principles established in the PODO shall be applied by all persons employed by / working with the Company.


  1. Rights and obligations of Employees/Cooperators of Company

  1. Comply with the principles and obligations set forth in the PODO and as indicated in other personal data protection procedures;

    1. Ensure confidentiality with respect to all personal data processed at the Company;

    2. Not disseminate personal data subject to protection;

    3. The obligation to maintain the confidentiality of personal data at the Company, to the extent related to the performance by employees and associates of their tasks for the Company, shall not expire upon termination of the employment/cooperation relationship;


  1. Principles of fulfilling the requests of personal data subjects

  1. In accordance with the RODO, each data subject shall have the opportunity to exercise his or her rights and, for this purpose, apply to the Company.

    1. The data subject shall have the following rights:

  • Access to information about the data subject;

  • Correction of data;

  • Deletion of data "right to be forgotten";

  • Restriction of processing of personal data;

  • Data portability;

  • Objection to data processing;

  • Revocation of consent.

  1. The submission of a request by the data subject shall be made possible in any form, and it is recommended that the request (request, inquiry, complaint, etc.) be recorded at least in the form of an e-mail for evidentiary purposes.

    1. Any request submitted should first be verified for the person's authority to submit it. Particular caution should be exercised in cases where a representation is made for the data subject. In that case, the correctness of the representation should be verified first.

    2. Requests shall be processed only if submitted by an authorized person, i.e. the data subject or a duly authorized person.

    3. Verbal inquiries, including those made by telephone, shall never be answered unless the Company is able to confirm the identity of the caller.

    4. Requests shall be considered taking into account their content and not their title.

    5. The request shall be consulted and considered with the assistance of persons responsible for legal support of the Company.

    6. Responses to requests shall be given without undue delay - and in any case within a period of one month from receipt of the request.

    7. If necessary, this term may be extended for another two months due to the complexity of the request or the number of requests. Within one month of receipt of the request, the Company shall inform the data subject of such extension, stating the reasons for the delay.

    8. If the Company does not act on the data subject's request, it shall promptly - no later than one month after receipt of the request - inform the data subject of the reasons for its failure to act and of the possibility of lodging a complaint to the supervisory authority and availing itself of legal remedies before the courts.

  1. Procedure for granting authorization to process personal data

  1. Before granting the authorization, the competent person of the Company is obliged to provide the User with access to internal documents on personal data protection. The User's signatures next to the relevant declarations included in the authorization are a formal confirmation that he/she is acquainted with the aforementioned documents. A model of the authorization together with the statement is attached as Appendix 1 to this Policy.

    1. Any User who is to have access to personal data must be authorized to process personal data. Authorizations are granted in traditional (paper) or electronic form.

    2. Authorizations shall be granted by the Administrator or an authorized person.

    3. Detailed rules for granting authorizations to IT systems, are described in the Instruction for the management of IT systems for the processing of personal data.

    4. The withdrawal of authorization and entitlements shall occur in particular when one of the following situations occurs:

  • termination of employment relationship / termination of cooperation under a civil law contract;

  • change in the scope of responsibilities under the employment contract / civil law contract.

  1. If any of the circumstances referred to in para. 5 occurs, the priority is the revocation of rights to the information and communication systems to which the User had access.

    1. If a User's absence from work lasts longer than 30 days, the immediate supervisor shall be obliged to inform the relevant IT system administrator in order to block access (temporary blocking of rights).

    2. The relevant IT system administrator shall block the privileges to all systems to which the User has access.

    3. The procedure for unblocking authorizations is carried out in the same way as the blocking of authorizations (the User's immediate supervisor informs the relevant administrator of the information and communication system about the User's return to work in order to unblock accounts in the systems).

    4. The Human Resources Department is responsible for maintaining the Register of Authorized Persons. A person designated by the Human Resources Manager shall record the fact of granting authorizations in the Register of Authorized Persons.

    5. The Register of Authorized Persons is kept in the Human Resources Department.


  1. Data Retention Policy

    1. It is required to ensure that the data retention period is limited to a strict minimum.

    2. In order to prevent the retention of personal data for a longer period than necessary, the Company shall establish a date or criteria for establishing retention periods, after which the data shall be deleted or anonymized.

    3. The data retention deadlines shall be set by the Board of Directors.

    4. Notwithstanding the above, each employee/co-worker shall periodically review the personal data on which he/she works in terms of its suitability for the Company's business operations. This means, in particular, reviewing: mailboxes, folders such as "Downloaded", "Deleted", files saved elsewhere on the disk (local or network), copies or originals of documents held, correspondence, printouts, working notes, etc.

    5. Where unnecessary files/documents/messages are identified - they shall be permanently deleted by the employee/co-worker.

    6. Wherever reference is made to forms or documentation subject to storage, it shall also be understood as electronic forms (scans saved on disks, e-mails, entries in the computer system).

  2. Principles of personal data protection in relations with suppliers

  1. Prior to cooperation, personal data security requirements should be agreed with the supplier and documented in order to reduce the risks associated with the supplier's access to the Company's data.

    1. The subject of regulation should be both procedural aspects and specific technical requirements to be met by the supplier.

    2. The employee directly responsible for cooperation with the supplier in cooperation with his/her immediate supervisor shall regularly monitor, review and audit the provision of external services.

    3. Prior to the start of cooperation with a supplier who is to obtain the status of a processor as a result of concluding a contract, i.e. to gain access to personal data of which the Company is the controller or which the Company processes as a processor, it is necessary to document that such a provider will provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the RODO and protects the rights of data subjects.

    4. It is the responsibility of each employee or associate of the Company engaging the provider to verify that the service provider is prepared to provide the service in terms of RODO.

    5. The final selection of a provider is always at the Company's business discretion.

    6. Formal confirmation of compliance with the requirements referred to above shall be the supplier's confirmation that it meets the minimum requirements for technical measures indicated in Article 32 of the RODO.

    7. The Company, prior to entering into an entrustment agreement, shall send a verification sheet to the supplier for the supplier's compliance with the regulations on personal data protection. The sheet is attached as Appendix No. 2 to this Policy.

    8. The processing of data by the supplier may be carried out only on the basis of an agreement that specifies the issues indicated in Article 28 of the RODO.

  1. Audit

  1. The PODO should be audited regularly, at least once a year.

    1. The following are authorized to conduct audits, each to the appropriate extent:

  • persons employed as internal auditors;

  • external entities with the approval of the Company's Board of Directors.

  1. The conduct of an audit requires the preparation of an audit plan, which specifies, among other things, the purpose, criteria, subject and object scope.

    1. The results of the audit shall be presented to the head of the department covered by the audit activity and to the Company's Board of Directors.


  1. Registry of processing activities and categories of processing activities

  1. The Register of Processing Activities (RCP) shall be maintained and updated by an authorized person with the support of the Company's Board of Directors.

    1. The RCP shall be maintained on a form dedicated for this purpose in written form and in electronic form.

    2. The RCP must contain all the elements indicated in Article 30 (1) of the RODO.

    3. In the case of planning the creation of a new process / new processing activity - the person responsible for the organization of the new process is obliged to inform the Company's Management Board about this process in advance in order to include the new processing activity in the RCP.

    4. If there are changes in relation to existing processes / processing activities that make it obligatory to update the RCP - the person responsible for the process is obliged to inform the person authorized to maintain the RCP.

    5. Maintenance of the Register of Categories of Processing Activities (RKCP) shall be incumbent on the Company when acting as Processor, i.e. when it processes personal data of individuals on behalf of and for the benefit of another controller of such data.

    6. The RKCP shall be conducted on a form dedicated for this purpose in written form and in electronic form.

    7. The RKCP must contain all the elements indicated in Article 30(2) of the RODO.


  1. Development principles for new processes

  1. It is required that each owner of the designed process, before the implementation of the process and prior to the acquisition of personal data, shall make a prior decision of the Company's legal support persons.

    1. The decision to implement the designed process is always at the Company's business discretion.

    2. The implementation of this Procedure results in the fact that such decision should be made based on previously:

  • the analysis of the process in terms of personal data protection that has been carried out,

  • the formulated conclusions resulting from the aforementioned analysis;

  • the opinion provided by the Company's legal support persons.

  1. Procedure for reporting data protection violations:

  • personal data breach - a security breach leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed,

  • incident - an event or accident that constitutes a potential breach of personal data protection,

  • data confidentiality breach - a breach resulting in unauthorized or accidental disclosure or unauthorized access to personal data,

  • data integrity breach - a breach resulting in unauthorized or accidental modification of personal data,

  • violation concerning data availability - a violation resulting in the accidental or unauthorized destruction of personal data,

  • depending on the circumstances - a breach may involve both confidentiality, integrity and availability of data, as well as any combination of two of these three categories of breaches.

    1. The reasons for a data breach are divided into:

  • Internal unintentional actions e.g. accidental human error,

  • Internal intentional actions e.g. intentional disclosure of personal data by an employee,

  • external unintentional actions e.g. flooding resulting in loss of data stored on servers,

  • external intentional actions e.g. a hacking attack targeting the Company, resulting in the theft of customers' personal data.

  1. Any employee who has information about an attack, incident or other breach, or a reasonable suspicion of an attack, incident or breach of personal data security, shall immediately notify the Board of Directors of the fact in question.

    1. The Board of Directors, upon receipt of the notification referred to in paragraph 1, shall immediately:

- conduct an investigation to determine the circumstances of the personal data security breach,

- take measures to protect the system from recurrence of the breach,

- inform the persons supporting the Company in legal terms.

    1. The Company's legal support person shall, on the basis of the evidence and the protocol, and after any additional investigation, e.g., sending follow-up questions / clarifying the nature of the incident, assess the incident in terms of the state of the breach, its level of risk and its impact on the rights and freedoms of the data subject(s).

    2. All actions related to the proceedings described above shall not violate the evidence.

    3. The Board of Directors of the Company, after reviewing the description of the incident, shall decide on the further course of action, notifying the competent authorities and taking other specific measures to ensure the security of the information system or the application of physical protection measures.

    4. If the violation may result in medium or high risk of violation of rights and freedoms of the data subject, the DPO, through the Legal Department, shall send the relevant information to the Company's Management Board together with a form for notification of violation of personal data protection to the DPA (current forms can be found at and information as to when the notification should be made (as a rule, no later than within 72 hours from the moment of determining that the incident constitutes a violation - notification after this deadline requires a justification for the delay).

    5. In the case of a high risk of violation of rights and freedoms, the data subject (who has been affected) must also be notified of the violation. In order to fulfill this requirement, the DPO shall send a proposal for the content of such communication to those responsible for the Company's legal support.

    6. The Company shall keep a Breach Register, recording each incident or breach of personal data protection on an ongoing basis.

  1. Final Remarks

    1. In the event of significant changes, an ad hoc review should be conducted to review the rules and possibly adapt the PODO to changes in the organizational environment, business conditions, technical environment, as well as in terms of compliance with common law.


  2. Contact info:

Grunwaldzka 229
85-451 Bydgoszcz
+48 793 148 865


Appendix No. 1




Małgorzata Górska

Due to the fact that from the scope of commissioned tasks or official duties of the Authorized Person, pertaining to the employment contract (hereinafter "Contract") concluded with the Company Madmind Studio S.A. with its registered office in Bydgoszcz (hereinafter "Data Controller" or "Company"), it is necessary to access the personal data processing area and stay therein independently and to perform in person, by means of IT systems or in paper form, operations on personal data collected in data sets administered by the Company, Data Controller pursuant to Article 29 of the General Data Protection Regulation of April 27, 2016 (2016/679) (RODO):


authorizes you to process personal data within the scope of the tasks indicated in the above Agreement.

In order to protect information, including personal data, from unauthorized access, unwarranted modification or destruction, unlawful disclosure or acquisition, the Authorized Person is required to comply with the RODO, other regulations on information processing as well as the Company's Information Protection Policies and Procedures.


The obligation in particular concerns:

  1. maintaining the secrecy of personal data and data constituting the Company's secrets, in particular, the following not disclosed to the public: data of clients and customers, business offers, terms and conditions of contracts and agreements, financial data, plans, to which the Authorized Person has or will have access in connection with the performance of official tasks, duties or commissioned tasks;

  2. supervise, to the extent appropriate to the duties, the processing of personal data in the Company;

  3. not to use personal data for non-service purposes or inconsistent with the assignment;

  4. not to disclose passwords and details of the operation and security of systems to outsiders;

  5. regularly change passwords for accounts and systems related to the processing of personal data;

  6. use IT equipment and infrastructure in accordance with the Company's internal procedures;

  7. inform the Company of any noticed irregularities in the processing of information and personal data.

Conduct contrary to the above-mentioned obligations may be considered by the Company as a severe breach of the Agreement - including, respectively: breach of employee duties within the meaning of Article 52 § 1 item 1 of the Labor Code or for violation of contractual terms and conditions, and for violation of business secrets within the meaning of Article 11(4) of the Act on Combating Unfair Competition of April 16, 1993, which may result in a fine or monetary penalty, termination of the Agreement, as well as criminal liability as provided by the Act or other relevant laws.


The authorization is granted for the term of the Agreement or until revoked.

On behalf of the Data Controller:




I certify that I have been informed of the Company's rules for the protection of information, including personal data and company secrets, have received this authorization, have understood its contents and fully accept its scope, and undertake to comply with my professional obligations regarding the processing of personal data, and arising from the concluded Agreement and this authorization.


(date and signature)












Appendix No. 2


Verification questionnaire


The purpose of this questionnaire is to verify the potential contractor to whom the Company intends to entrust the processing of personal data in terms of whether it provides sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as RODO) and protecting the rights of data subjects (Article 28(1) of the RODO).


General characteristics


Full name of the organisation, registered office address (in accordance with CEIDG/KRS)

Actual place of business (if different from the registered office address)

A brief description of the industry in which the organization operates:


Website address:

Number of employees:

Person completing the questionnaire (name, surname, e-mail, phone number):

Organizational measures

Has the organisation appointed a Data Protection Officer (DPO)?

If a DPO has been appointed, please indicate the contact details of this person.

Have employees/associates been trained in data protection? If so, please indicate the date of the last training.

Have employees/associates been authorized to process personal data?

How have employees/associates been obliged to keep their personal data confidential and informed about the organisational and technical measures to protect them?

Please mention by name 3-4 procedures designed to ensure the protection of personal data in the organization and indicate their scope in general.

Has the organisation assessed the risks associated with the processing of personal data? Please indicate the date of the above-mentioned activities.

Does the organisation regularly review its organisational and technical measures? If so, when was the last time such a review was performed?

Has your organization developed and implemented procedures for reporting personal data breaches?

Technical measures

Please list 3-4 of the technical measures used (in general terms) and indicate the criteria on the basis of which it was decided to apply these measures.

Have you identified IT systems in your organization for the processing of personal data?

Has the organization regulated access to IT systems and the manner of exercising and granting authorizations to work with the IT system?

Subcontractors/Third Countries

Does your organization use third-party help? If so, please indicate the areas of such cooperation, e.g. an external archive in which archival paper documentation is stored.

In the case of establishing cooperation with our company, would the organization use subcontractors who will have access to the entrusted data? If so, please indicate the areas that would be outsourced.

Does the organisation transfer personal data outside the European Economic Area (EEA)? If so, to which countries?